Forum Discussion
Password Expiration with AAD connect Password hash sync
When the on-premises password expiration policy is set to 90 days and the Azure AD policy is also set to 90 days, does the password expire at the same time on-premises and in the cloud, regardless of when the Azure AD password policy is turned on?
Thanks
I'll try to give you a detailed answer.
As long as you have EnforceCloudPasswordPolicyForPasswordSyncedUsers disabled (which is the default), an Azure AD user coming from on-premises AD (synced by AAD Connect) has its account password set to Never Expire.
"Password expiration policy
If a user is in the scope of password hash synchronization, by default the cloud account password is set to Never Expire.
You can continue to sign in to your cloud services by using a synchronized password that is expired in your on-premises environment. Your cloud password is updated the next time you change the password in the on-premises environment."
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#public-preview-of-the-enforcecloudpasswordpolicyforpasswordsyncedusers-feature (Microsoft Docs)
Once you enable the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature and set the PasswordPolicies attribute to None (instead of DisablePasswordExpiration), the expiration time for an Azure AD user should be calculated from the read-only attribute LastPasswordChangeTimestamp (you can retrieve it with the Get-MsolUser cmdlet), depending on the expiration policy.
Now, if you have AAD Connect with password hash sync and the same password expiration policy set on both Azure AD and on-premises AD (e.g. 90 days), every time a password is changed in on-premises AD the pwdLastSet attribute is updated, the password itself is synced to Azure AD and LastPasswordChangeTimestamp is updated accordingly, so they both expire at the same time (maybe a few minutes off). If you also have the password writeback functionality in place (link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback, Microsoft Docs), the behavior described above also works when the password is changed from Azure AD and synced back to on-premises AD.
It should be right (please, can someone else confirm that?)
I hope I was clear.
Bye,
Luca
- Sujesh1415, Apr 06, 2023, Copper Contributor
Thanks for detailing this step by step; it is helpful!
A question on this to get more clarity: after implementing all these policy changes, what happens the next time a user resets his password and it is synced to Azure AD via the AD sync tool?
Is it expected that the "PasswordPolicies" attribute goes back to "DisablePasswordExpiration" again, so that after each password sync the "PasswordPolicies" attribute has to be set to "None" using a daily script or something?
- lucafabbri365, Apr 07, 2023, Brass Contributor
Hello Sujesh1415,
assuming you enabled the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, as per the Microsoft article "Implement password hash synchronization with Azure AD Connect sync":
"...Azure AD does not go to each synchronized user to remove the DisablePasswordExpiration value from the PasswordPolicies attribute. Instead, the DisablePasswordExpiration value is removed (None) from PasswordPolicies during the next password hash sync for each user, upon their next password change in on-premises AD".
Microsoft recommends enabling EnforceCloudPasswordPolicyForPasswordSyncedUsers prior to enabling password hash sync, so that the initial sync of password hashes does not add the DisablePasswordExpiration value to the PasswordPolicies attribute for the users.
But if you enabled the feature AFTER setting up password hash sync, then you have two choices for setting PasswordPolicies to None:
- Wait for the user's next password change to occur in the on-premises AD
- Run a PowerShell script (once) to update it:
Single user:
    Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None
All users:
    Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None
Does it answer your question?
- JonMar52, Sep 17, 2024, Copper Contributor
lucafabbri365
I'm investigating enabling the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature for our org. I plan to address service accounts that currently do not have their passwords expire by putting them into a No Password Expiration group and manually changing the PasswordPolicy attribute to DisablePasswordExpiration. My question is, based on the current information, that the field will already show "DisablePasswordExpiration" since we enabled sync before enabling CloudPasswordPolicyForPasswordSyncedUsersEnabled. This field will change to "None" on the next sync, but if those accounts do not have expiring passwords, will they ever sync again if the password is never changed? If I set the field manually, will that cancel out CloudPasswordPolicyForPasswordSyncedUsersEnabled, or does that change the field to None every time the password is changed? My final question is: if we have password writeback enabled, will changing the password via self-service count as a change on-prem and sync users with the PasswordPolicy field set to None?
- KoflT, Nov 03, 2020, Brass Contributor
lucafabbri365 Great explanation.
If a company uses Fine-Grained Password Policy to apply different password expiration policies inside the same AD domain, would that still work out with Azure AD?
- lucafabbri365, Nov 14, 2020, Brass Contributor
Hello KoflT,
yours is a good question.
Well, Fine-Grained Password Policy is supported by Azure Active Directory Domain Services (Azure AD DS) for sure. Azure AD DS integrates with an existing Azure AD tenant, but it is a different service.
Definition
"Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud."
References
- https://azure.microsoft.com/en-us/updates/aadds-fgpp/ (Microsoft Azure)
- https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview#:~:text=Azure%20Active%20Directory%20Domain%20Services%20(AD%20DS)%20provides%20managed%20domain,(DCs)%20in%20the%20cloud. (Microsoft Docs)
- https://docs.microsoft.com/en-us/azure/active-directory-domain-services/password-policy (Microsoft Docs)
Instead, here we are speaking about password expiration on the Azure AD tenant.
This post https://social.msdn.microsoft.com/Forums/vstudio/en-US/5f10faf7-98ec-4681-96e9-4fc987a564e1/onpremise-password-policy-amp-azure-ad-password-policy?forum=WindowsAzureAD (Visual Studio forums) discusses the same topic: basically, you can define a password policy per custom domain in Azure AD.
I think the logic is the same I described previously: it depends on the password policy set for the custom domain the Azure AD user belongs to and the password policy set for the same user on-premises. If they match, the behavior is the same (the password will expire at the same time); otherwise they will have different expiration times.
Please let me know if it's clear, or I can write down some practical examples.
Bye,
Luca
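The following script is an added example and is not code from the thread or from Microsoft. It ties together three points discussed above: Luca's explanation that the cloud expiry is derived from LastPasswordChangeTimestamp (read with Get-MsolUser), the one-off fix of setting PasswordPolicies to None for users synced before EnforceCloudPasswordPolicyForPasswordSyncedUsers was enabled, and the per-domain expiration policy in Azure AD (read with Get-MsolPasswordPolicy, whose ValidityPeriod is in days). It assumes the MSOnline and AzureAD PowerShell modules are installed and that Connect-MsolService and Connect-AzureAD have already been run; the 90-day fallback and the function names are assumptions, and the "synced user" filter (users that have a LastDirSyncTime) is the author's choice, not something the thread states.

```powershell
# Added example (not from the original thread). Assumes MSOnline and AzureAD modules
# are loaded and Connect-MsolService / Connect-AzureAD have already been run.

function Get-DomainValidityDays {
    param([string]$DomainName)
    # Azure AD keeps one expiration policy per verified domain; ValidityPeriod is in days.
    # A ValidityPeriod of 2147483647 means the domain itself is set to "never expire".
    $policy = Get-MsolPasswordPolicy -DomainName $DomainName
    return [int]$policy.ValidityPeriod
}

function Get-SyncedUserPasswordStatus {
    param([int]$DefaultValidityDays = 90)   # fallback if a domain policy cannot be read (assumed value)

    $validityCache = @{}
    # Only accounts synchronized by AAD Connect carry a LastDirSyncTime.
    $syncedUsers = Get-MsolUser -All | Where-Object { $null -ne $_.LastDirSyncTime }

    foreach ($u in $syncedUsers) {
        $domain = ($u.UserPrincipalName -split '@')[-1]
        if (-not $validityCache.ContainsKey($domain)) {
            try   { $validityCache[$domain] = Get-DomainValidityDays -DomainName $domain }
            catch { $validityCache[$domain] = $DefaultValidityDays }
        }
        $days = $validityCache[$domain]

        # PasswordNeverExpires mirrors the DisablePasswordExpiration value in PasswordPolicies.
        $neverExpires = [bool]$u.PasswordNeverExpires

        # Cloud expiry = LastPasswordChangeTimestamp + the domain validity period (days).
        $expiresOn = $null
        if (-not $neverExpires -and $null -ne $u.LastPasswordChangeTimestamp) {
            $expiresOn = $u.LastPasswordChangeTimestamp.AddDays($days)
        }

        [pscustomobject]@{
            UserPrincipalName         = $u.UserPrincipalName
            ObjectId                  = $u.ObjectId
            LastPasswordChange        = $u.LastPasswordChangeTimestamp
            ValidityDays              = $days
            CloudPasswordNeverExpires = $neverExpires
            CloudExpiresOn            = $expiresOn
            # Still carrying the pre-feature value; a sync only clears it on the next on-prem password change.
            NeedsPolicyReset          = $neverExpires
        }
    }
}

function Reset-CloudPasswordPolicy {
    param(
        [Parameter(ValueFromPipeline)] $User,   # objects produced by Get-SyncedUserPasswordStatus
        [switch]$Apply                          # dry run unless -Apply is given
    )
    process {
        if (-not $User.NeedsPolicyReset) { return }
        if ($Apply) {
            # Same one-off fix as in the thread. Once EnforceCloudPasswordPolicyForPasswordSyncedUsers
            # is enabled, later on-prem password changes keep the value at None without a daily script.
            Set-AzureADUser -ObjectId $User.ObjectId -PasswordPolicies None
            "Set PasswordPolicies=None for $($User.UserPrincipalName)"
        } else {
            "Would set PasswordPolicies=None for $($User.UserPrincipalName)"
        }
    }
}

# Usage: report first, then remediate only the flagged accounts.
# Exclude accounts that must keep DisablePasswordExpiration (e.g. by group membership)
# from $status before using -Apply.
$status = Get-SyncedUserPasswordStatus
$status | Sort-Object CloudExpiresOn |
    Format-Table UserPrincipalName, LastPasswordChange, ValidityDays, CloudExpiresOn, NeedsPolicyReset
$status | Reset-CloudPasswordPolicy            # dry run: prints what would change
# $status | Reset-CloudPasswordPolicy -Apply   # writes PasswordPolicies=None
```

Running the report before the remediation answers the practical questions raised in the thread: users whose LastPasswordChangeTimestamp plus the domain validity period is in the past will be prompted in the cloud, and accounts whose NeedsPolicyReset is still true are the ones that were synced before the feature was enabled and have not changed their password since. Set-MsolUser -PasswordNeverExpires $false would have the same effect as Set-AzureADUser -PasswordPolicies None if you prefer to stay within the MSOnline module.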